CVE-2025-10897 is a path traversal vulnerability classified under CWE-22 found in the WooCommerce Designer Pro theme for WordPress, developed by JMA Plugins. This vulnerability affects all versions up to and including 1.9.28. The root cause is the improper limitation of pathname inputs, which allows attackers to manipulate file path parameters to access files outside the intended directory. Because the theme fails to properly sanitize or restrict file path inputs, an unauthenticated attacker can craft requests that read arbitrary files on the web server. The most critical impact is the ability to read the wp-config.php file, which contains database credentials and other sensitive configuration data. The vulnerability is remotely exploitable without any authentication or user interaction, increasing its risk. The CVSS v3.1 base score is 8.6 (high), reflecting the network attack vector, low attack complexity, no privileges required, no user interaction, and a scope change due to potential access to sensitive data. While no public exploits are currently known, the vulnerability’s nature and impact make it a significant threat to affected WordPress sites. No official patches have been linked yet, so mitigation relies on configuration changes or temporary workarounds until a fix is released.

The primary impact of this vulnerability is the compromise of confidentiality through unauthorized disclosure of sensitive files on the server. Attackers can obtain database credentials by reading wp-config.php, which can lead to further attacks such as database compromise, data exfiltration, or privilege escalation. Although the vulnerability does not directly affect integrity or availability, the exposure of credentials can indirectly enable more damaging attacks. Organizations running WooCommerce Designer Pro on WordPress sites, especially e-commerce platforms, face risks of customer data exposure, financial fraud, and reputational damage. The ease of exploitation without authentication and user interaction means attackers can automate scanning and exploitation at scale, increasing the threat landscape. The scope of affected systems is broad because all versions of the theme up to 1.9.28 are vulnerable, and WooCommerce is widely used globally. The lack of known exploits in the wild currently reduces immediate risk but does not diminish the urgency for mitigation.

1. Immediately monitor for updates or patches from JMA Plugins and apply them as soon as they become available. 2. In the absence of an official patch, restrict access to sensitive files such as wp-config.php via web server configuration (e.g., using .htaccess rules or nginx directives) to prevent unauthorized HTTP access. 3. Implement web application firewall (WAF) rules to detect and block path traversal attempts targeting the vulnerable theme endpoints. 4. Review and harden file permissions on the server to ensure that web server processes have minimal access to sensitive files. 5. Disable or remove the WooCommerce Designer Pro theme if it is not essential, or replace it with a secure alternative. 6. Conduct regular security scans and audits to detect any unauthorized file access or suspicious activity. 7. Educate site administrators on the risks of using outdated or unpatched plugins and themes and enforce strict update policies. 8. Consider isolating WordPress instances in containerized or sandboxed environments to limit the impact of potential breaches.